At the 27th GovernmentWare (GovWare) cybersecurity conference which was held last week, participants shared their views on the growing cybersecurity challenge that has gripped nations across the world. GovWare is the cornerstone event for the Singapore International Cyber Week, the region’s most established conference and showcase for cybersecurity.
This year’s conference assumed greater significance following the major data breach at Singapore Health Services (SingHealth) where 1.5 million health records were stolen, including that of Singapore Prime Minister, Lee Hsien Loong.
While a lot of technology solutions and approaches suggested by experts during this conference, it is useful to remember that the biggest challenge facing the industry is the lack of adequate cybersecurity talent. According to a study done by Frost and Sullivan the cybersecurity workforce gap is on pace to hit 1.8 million by 2022 – a 20 per cent increase since 2015.
To discuss the talent crunch and other issues facing the cybersecurity industry, GovInsider sat down with FireEye’s Steve Ledzian, who is the company’s Technical Director for Asia. FireEye provides protection against cyber threats and responds to breaches around the world.
The people problem
According to Mr Ledzian, the hardest problem in security is the “people problem, because there simply aren’t enough experts to go around”.
“Even if you have unlimited budget and unlimited political capital to hire cybersecurity experts, in many cases they can’t be found. So some organisations try to hire junior security experts, give them training, but as soon as they become good, the market demand pulls them to other locations. So retention becomes a problem. This is a very challenging problem to address.”
He adds that a lot of organisations are looking at that challenge and thinking that their core business is not to build an elite team of cyber security experts, and based on that, are choosing to outsource their cybersecurity needs. “There are capabilities such as managed detection and response that are examples of how you could outsource the detection and response aspect of cybersecurity,” he says.
Ledzian notes that many governments recognise that lack of cybersecurity talent is a major problem and are taking efforts to build up cyber capability within their nation. “Singapore’s National Cyber Security Masterplan calls out the need to grow Singapore’s pool of infocomm security experts as a key strategic imperative. Other countries have similar efforts. I think that’s a good start to addressing this problem.”
Lessons from SingHealth hack
However, there is still some lack of awareness about the seriousness of the threats from security breaches, the FireEye official notes.
“At FireEye we respond to breaches that are happening all across the world where millions of people or sometimes hundreds of millions of people are impacted.
“In South-east Asia, there are some senior leaders who think these types of problems are only happening in the West. My initial reaction when I saw all of the news on this SingHealth breach was that the disclosure of this breach is going to bring awareness that the cyber issue is a global issue.”
So how can organisations, especially those that are designated as critical information infrastructure (CII), like banks, utilities and emergency services, protect their networks, from targeted intrusion operations, such as spear phishing attacks by government-linked APT (advanced persistent threat) groups?
One of the ways is internet separation or locking out computers and servers that have valuable information from the web. The Singapore government is increasingly taking this route to protect CIIs.
Ledzian notes that internet surfing separation is an extremely strong security control. “There are organisations that use similar things or even stronger security controls, things like air gapped networks.
“It really comes down to what kind of information you are trying to protect. How sensitive is that information? And where are you going to draw the line on the trade-off between security and convenience as with Internet surfing separation you can’t surf the Internet via a web browser. Internet separation is not unusual in organisations with exceptional security needs which face a very high risk profile.”
What are the alternatives?
Apart from internet surfing separation, there are other security controls, Ledzian says. “There are security operation centres that can do monitoring, investigations, hunting, essentially raising the bar of security without necessarily having the level of convenience impact that Internet surfing separation might have.”
However, there is always a trade-off between cybersecurity versus convenience. “You can take, for example, something as simple as password changes. How frequently do I need to change my passwords? How complicated do my passwords need to be?
“There are good reasons why you need to change your passwords frequently and it needs to be a mix of certain characters and symbols. But there is a convenience impact as well and I think that that balance between security and convenience has to be approached very carefully.”
Catching the culprits
While the different strategies are all about how to prevent attacks, Ledzian agrees, that in order for there to be deterrence there first needs to be risks and repercussions for those perpetrating these attacks. However, jurisdictional problems add to the fact that many of these attackers are often linked to government agencies complicate the problem.
“There have been incidents in the US where the Department of Justice has indicted foreign hackers and in some cases those foreign hackers have been associated and linked to foreign militaries.
“In those cases even if you had a legal framework in place, it’s hard to imagine how attackers would be brought to justice when they are military officers carrying out cross-border operations at the behest of their government.”
He adds that there’s a lot of work that still needs to be done to draft international laws against cyber-attacks. “And that’s assuming you can even get the attribution in place so that you can say, I know who perpetrated this attack.
“Often that attribution is extremely difficult, and it’s because of that foreign governments are looking for new cyber capabilities. The attribution is difficult, the risk is low, and the cost is low to execute these types of cyber espionage compared to traditional espionage.”
In the meanwhile, organisations need to tighten up cybersecurity and hope to either prevent a cyberattack or interrupt successful intrusions before any damage is done, Ledzian adds.
Image from US Department of Defense